
Recommended Network Configurations

The following configurations are the supported types of connections from the customer’s site to Mitel’s hosted data center.

It is important that the WAN connectivity in use has sufficient guaranteed bandwidth to support the voice traffic that will be carried over it. The Best Effort SLAs on broadband connections often cause issues in voice service delivery, as Best Effort is usually not good enough. This is particularly important where the WAN connection will be carrying both voice and other data traffic. For this reason, the Network Installer should carefully qualify any WAN connection services they will offer as part of their service, or any other services provided by alternate providers to the customer premises.

The Network Installer may choose to provide a Traffic Prioritization Device to minimize quality impacts due to a shared broadband network.

The customer or their IT representatives carry out all LAN configuration and support. This section is intended to give an overview of several different implementation scenarios, and what is required at the customer site to fulfill these.

VoIP voice quality depends on two key factors:

Available bandwidth

Voice priority mechanisms

There are Layer 2 and Layer 3 voice priority mechanisms that can be implemented in most managed switch networks and routers. VLANs may be required, depending on the implementation architecture chosen.

MiCloud Office recommended VoIP configuration settings for customer provided Firewalls

This section outlines the recommended VoIP configuration settings for customer provided firewalls. The firewall should be able to protect the network from malicious Internet threats, prioritize VoIP traffic (via QOS), and allow access rules for MiCloud VoIP services. It should be noted that in the majority of cases there is no need to make any changes.


MiCloud Office USA Firewall requirements


MiCloud Office USA Firewall requirements (Continued)


MiCloud Office UK and FR Firewall requirements


MiCloud Office UK and FR Firewall requirements (Continued)


MiCloud Office Germany Firewall requirements


NTP requirements

For initial configuration, Desktop and DECT devices require their time to be set using NTP. By default they will use public NTP servers, but if these are not available then a suitable NTP source must be delivered using DHCP options.

Email requirements

Mitel uses SMTP email to deliver certain content, such as provisioning messages, voicemail notifications, conference invites, analytics notifications, etc.

In order to successfully receive these emails, the customer mail server must be set to accept mail from these addresses. Most systems will not have an issue, since the Mitel email comes from a correctly registered domain, but some systems use a token exchange to validate the sender.

Since the from address is not a monitored address on the Mitel side, token exchange will not work. It is best for the customer to set the known addresses as safe senders to ensure correct reception of emails.

The from addresses used by Mitel are: [email protected] [email protected] [email protected] [email protected] [email protected]


Mitel SIP phone implementation

The phones used with the MiCloud Office Solution are SIP based sets; they can be connected to switch ports running at 10/100/1000. Each phone requires 48v power to function, which can be provided directly from the connected switch port or from a separate PSU. If a separate PSU is to be used, it should be ordered with the Mitel IP set. Only use Mitel supplied PSUs, as the phone sets must be supplied the correct amount of power to function correctly. The Mitel IP set supports a PC connected to the second port in the back of the set. The IP phone primary port, not the secondary port, must be connected directly to the powered port or PSU.

Cable or DSL Modems – Bridge mode required

ISPs providing Cable or DSL modem services must have the modem configured in “bridge mode” when connecting to the premise firewall. In “bridge mode,” the modem functions only as a modem (disabling duplicate NAT & Routing) and forwards all incoming traffic to the directly connected firewall.

Prioritization of VoIP Traffic (QOS)

All network traffic is subject to bandwidth limitations, congestion, delay, and packet loss. When Voice over IP (VoIP) traffic travels across these network hazards, voice quality problems can occur. Quality of Service (QOS) is the set of techniques used to avoid the pitfalls of poor network performance and to ensure prioritization of voice traffic. Best practice is to implement QOS techniques on LAN and WAN connections. We recommend network segmentation of the voice traffic and then configuring priority voice QOS policies.

Disabling SIP / ALG

Inside your network, the Application Layer Gateway (ALG) manages specific application protocols such as SIP (Session Initiation Protocol). ALG controls whether to allow or deny traffic into your network and does this by inspecting the traffic that passes through your network.

The purpose of SIP/ALG was to assist with SIP and NAT related problems by inspecting packets. SIP/ALG would re-write SIP signaling information that would pass through NAT as information was carried between end-points.

However, in many cases SIP/ALG breaks SIP and rewrites the header information, causing the following issues: one-way audio, stuck dialing, failed call transfer, failure to retrieve Call Park.

Firewall Configurations for Removing SIP ALG & NAT Settings

Adtran Router/Firewalls:

1) Log in to the command-line interface of the Adtran Router/Firewall

2) Elevate permissions to Privilege Configuration mode: hostnameRouter> enable

3) Elevate permissions to Global Configuration: hostnameRouter# config t

4) Issue the command: hostnameRouter(config)# no ip firewall alg sip


5) Issue the command: hostnameRouter(config)# exit

6) Issue the command to save changes: hostnameRouter# wr mem

Cisco ISR Routers:

1) Log in to the command-line interface of the Cisco ISR Router

2) Elevate permissions to Privilege Configuration mode: hostnameRouter> enable

3) Elevate permissions to Global Configuration: hostnameRouter# config t

4) Issue the command no ip nat service sip tcp port 5060, then press the Enter key

5) Issue the command no ip nat service sip udp port 5060, then press the Enter key

6) Issue the command exit, then press the Enter key

7) Issue the command wr mem to save changes

Cisco ASA Firewalls

1) Log in to the command-line interface

2) Elevate permissions to Privilege Configuration mode with the enable command: hostnameASA> enable

3) Elevate permissions to Global Configuration with the config terminal command: hostnameASA# config t

4) Issue the command: hostnameASA(config)# policy-map global_policy

5) Issue the command: hostnameASA(config-pmap)# class inspection_default

6) Issue the command: hostnameASA(config-pmap-c)# no inspect sip

7) Issue the command: hostnameASA(config-pmap-c)# exit

8) Issue the command: hostnameASA(config-pmap)# exit

9) Save changes by using the command: hostnameASA(config)# wr mem

Sonicwall Firewalls

1) Log in to the Firewall administration page

2) Navigate to the VoIP > Settings page

3) Select the check box for Enable Consistent NAT

4) Ensure the box is unchecked for “Use SIP Header Transformation” or “Enable SIP Transformations”

5) Navigate to Firewall Settings > Advanced

6) Modify the field “Default UDP Connections Timeout (seconds)” to 300 seconds

7) Navigate to Firewall > Access Rules > LAN>WAN > Edit

8) Modify the field “Default UDP Connections Timeout (seconds)” to 300 seconds in the rule LAN>WAN.
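To confirm after the fact that the CLI steps above took effect, a saved running-config can be checked offline. The following is an added example, not Mitel's or any vendor's tooling; it assumes each device's configuration has been exported as text, that the disabled state appears as the `no` form on Adtran and Cisco ISR, and that on Cisco ASA it appears as the absence of `inspect sip` under `class inspection_default`. The sample configs are constructed.

```python
import re

def asa_inspects_sip(config):
    """True if 'inspect sip' is still under global_policy / inspection_default."""
    in_pmap = in_class = False
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):              # a top-level statement ends any block
            in_pmap = line == "policy-map global_policy"
            in_class = False
        elif in_pmap and line.startswith("class "):
            in_class = line == "class inspection_default"
        elif in_class and re.match(r"inspect sip\b", line):
            return True
    return False

def sip_alg_disabled(platform, config):
    """Check a saved running-config for the commands given in the steps above."""
    lines = {ln.strip() for ln in config.splitlines()}
    if platform == "adtran":
        return "no ip firewall alg sip" in lines
    if platform == "cisco_isr":                  # both transports must be turned off
        return {"no ip nat service sip tcp port 5060",
                "no ip nat service sip udp port 5060"} <= lines
    if platform == "cisco_asa":
        return not asa_inspects_sip(config)
    raise ValueError(f"unsupported platform: {platform}")

# Constructed sample configs for illustration, not captured from real devices.
SAMPLES = {
    "adtran-ok": ("adtran", 'hostname "Router"\nip firewall\nno ip firewall alg sip\n'),
    "isr-udp-only": ("cisco_isr", "ip nat inside source list 1 interface Gi0/0 overload\n"
                                   "no ip nat service sip udp port 5060\n"),
    "asa-default": ("cisco_asa", "policy-map global_policy\n class inspection_default\n"
                                 "  inspect ftp\n  inspect sip\n!\n"),
    "asa-fixed": ("cisco_asa", "policy-map global_policy\n class inspection_default\n"
                               "  inspect ftp\n!\n"),
}

def audit(samples):
    """Map each sample name to True when SIP ALG/inspection is off."""
    return {name: sip_alg_disabled(p, cfg) for name, (p, cfg) in samples.items()}

if __name__ == "__main__":
    for name, ok in audit(SAMPLES).items():
        print(f"{name:14} SIP ALG {'disabled' if ok else 'STILL ACTIVE'}")
```

The `isr-udp-only` sample fails because only one of the two ISR commands was applied, which is the partial state most likely to be missed by eye.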


Separating the LAN Traffic

There are a number of methods for separating voice and data traffic; choose the one that best fits the network environment and cost. Separating LAN traffic ensures that data traffic will not affect voice traffic across the LAN connections.

LAN Method 1 - Virtually Separating Voice & Data with Virtual Local Area Network (VLANS)

Often a preferred method is to deploy a managed switch for the Mitel IP phones and then configure dedicated virtual networks (VLANs) for voice and data traffic.

The connection between the Mitel IP Phone & the managed switch will be an IEEE 802.1Q Trunk port, tagging voice frames for the voice VLAN and leaving data frames untagged for the data VLAN. The Mitel IP Phone has VLAN settings available from the admin menu.

The connection between the managed switch and firewall can be an IEEE 802.1Q Trunk port or physical dedicated interfaces (1 Data Port & 1 Voice Port).

[Diagram labels: Mitel IP Phone, Computer, Managed Switch, Trunk, Trunk, Firewall, Dedicated Voice VLAN Interface, Dedicated Data VLAN Interface, Data & Voice Shared WAN Interface, Internet, MiCloud]

Diagram notes:

The connection between the Mitel IP Phone & the managed switch will be an IEEE 802.1Q Trunk port, tagging voice frames for the voice VLAN and leaving data frames untagged for the data VLAN. The Mitel IP Phone learns VLAN information from the DHCP Server options 43 or 125.

The connection between the managed switch & Firewall can be an IEEE 802.1Q Trunk port or physically separated dedicated interfaces (1 Data Port & 1 Voice Port).

Figure 1: Virtually Separating Voice & Data with Virtual Local Area Network
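The trunk behaviour described for LAN Method 1 (voice frames tagged, data frames untagged) can be verified on frames captured from the phone's switch port. The following is an added example, not part of the original guide; the voice VLAN ID 100 is a hypothetical value, since the guide does not specify one, and the frames are constructed.

```python
import struct

VOICE_VLAN = 100  # hypothetical voice VLAN ID; the guide does not give one

def classify_frame(frame, voice_vlan=VOICE_VLAN):
    """Return (kind, vlan_id, priority) for one Ethernet frame seen on the phone port."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != 0x8100:                 # no 802.1Q tag: PC traffic on the data VLAN
        return ("data", None, None)
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack("!H", frame[14:16])
    pcp, vid = tci >> 13, tci & 0x0FFF      # 3-bit priority, 12-bit VLAN ID
    if vid == 0:                            # priority tag only: still the untagged VLAN
        return ("data", None, pcp)
    return ("voice" if vid == voice_vlan else "unexpected-vlan", vid, pcp)

def mk(tag=b""):
    """Build a constructed frame: dst MAC, src MAC, optional tag, IPv4 EtherType, padding."""
    return bytes(6) + b"\x02\x00\x00\x00\x00\x01" + tag + b"\x08\x00" + bytes(46)

# Constructed frames: untagged, VLAN 100 with priority 5, VLAN 200, priority-tagged VLAN 0.
FRAMES = [mk(), mk(b"\x81\x00\xa0\x64"), mk(b"\x81\x00\x00\xc8"), mk(b"\x81\x00\xa0\x00")]

def summarize(frames):
    """Count frames per class; any 'unexpected-vlan' means the trunk carries a stray VLAN."""
    counts = {}
    for f in frames:
        kind = classify_frame(f)[0]
        counts[kind] = counts.get(kind, 0) + 1
    return counts

if __name__ == "__main__":
    print(summarize(FRAMES))
```

A non-zero `unexpected-vlan` count on a phone port indicates the trunk allows more VLANs than the voice/data split requires.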


LAN Method 2 – Physically Separating Voice & Data Local Area Networks (LANs)

Another method is to dedicate physical switches to the Mitel IP phones in order to separate the voice & data LANs.

Note: Also configure separate networks on the Firewall. For example, on the Firewall, the data network interface would be 192.168.1.1/24 and the voice network interface would be 172.16.1.1/24.

[Diagram labels: Mitel IP Phone, Computer, Voice Switch, Data Switch, Firewall, Dedicated Voice LAN Interface, Dedicated Data LAN Interface, Shared Data & Voice WAN Interface, Internet, MiCloud]

Figure 2: Physically Separating Voice & Data Local Area Networks


Separating the Voice and Data WAN Traffic

The WAN interface is typically the point where voice & data traffic converge and compete for priority to send out traffic. There are a number of methods for managing a shared WAN connection or physically separating the WAN connections altogether.

WAN Method 1 – A Shared Voice & Data Wide Area Network (WAN) - Outbound Traffic (Egress)

Often the most common method is to have a shared WAN connection for both data & voice traffic. Applying QOS policies to the WAN interface is crucial, since this is where traffic competes to be sent out and where poor voice quality occurs the most. It is important to note that QoS policies can often only be applied to outbound (egress) WAN traffic.

[Diagram labels: Mitel IP Phone, Computer, Managed Switch, Trunk, Trunk, Firewall, Data & Voice Shared WAN Interface, Internet, MiCloud]

Diagram note: The WAN interface is the point where the Data & Voice networks converge. QOS policies must be applied in order to prioritize voice traffic and ensure voice quality.

Figure 3: Shared Voice & Data Wide Area Network - Outbound


WAN Method 1.5 – A Shared Voice & Data Wide Area Network (WAN) - Inbound Traffic (Ingress)

It is important to note that QoS policies can often only be applied to outbound (egress) WAN traffic. This poses a challenge for inbound (ingress) WAN traffic. For example, when a computer on the LAN starts a large download, the ingress voice traffic has to compete with the computer’s download traffic on the WAN connection. In order to prioritize ingress WAN traffic, the carrier/ISP must apply QoS policies towards the customer provided equipment.

[Diagram labels: Mitel IP Phone, Computer, Managed Switch, Trunk, Trunk, Firewall, Internet, MiCloud]

Diagram notes:

In order to apply QOS policies on inbound (download/ingress) traffic, the ISP/Carrier must offer downstream QOS on the circuit. This is important to note if the circuit has heavy shared data & voice usage, as inbound traffic can affect voice quality.

QOS policies are applied to outbound (upload/egress) traffic.

Figure 4: Shared Voice & Data Wide Area Network - Inbound


WAN Method 2 – Dedicated Voice & Data WAN connections

If there are multiple WAN connections, the Firewall can be configured to route the voice network across a dedicated Voice WAN connection. This would ensure that voice traffic does not have to compete for bandwidth and priority on a shared WAN connection.

[Diagram labels: Mitel IP Phone, Computer, Managed Switch, Trunk, Trunk, Firewall, Dedicated Data WAN Interface, Internet, Dedicated Voice WAN Interface, Internet, MiCloud]

Figure 5: Dedicated Voice & Data WAN connections